Using ICMP to Coordinate Systems

Using ICMP to Coordinate Systems1ICMPv6: Internet Control Message Protocol2

ICMPv6: Internet Control Message ProtocolErrormessages(1-127)Informationalmessages3ICMPv6: Internet Control Message ProtocolChecksumcalculation4

ICMPv6: Internet Control Message ProtocolBy including the pseudo header in its checksum, ICMPprotects against more than simple data corruption in transit.It also ensures that the systems’ protocolimplementations interface correctly. Suppose IPmistakenly delivers a UDP message to ICMP. Since thepseudo header includes the IP next header value and thisvalue differs for ICMP and UDP, the checksum will detectthis error.If the checksum is invalid, ICMP immediately discards suchdatagrams without further processing.5ICMPv6: Internet Control Message ProtocolSelecting a Source IP AddressRouterWhich interfaceaddress to use?ICMP standard provides four specific rules forselecting the source address.6

ICMPv6: Internet Control Message ProtocolSelecting a Source IP AddressFirstThe first two rules consider ICMP replies. The sourceaddress of the reply should be the same as thedestination address of the original (request) message.SecondIf the original message was sent to a multicast or anycastgroup, then the response should use as its source the IPaddress of the interface on which the request arrived.7ICMPv6: Internet Control Message ProtocolSelecting a Source IP AddressThe third rule applies to ICMP error messages.Error messages are often generated by systems that are notthe ultimate destination of the datagram in error.Therefore, it cannot use the original destination as theerror’s source. Instead, they should use a source addressthat provides the most information about error beingreported.For example, if the ICMP message is a Packet Too Bigerror, then its source should be the IP address of theinterface over which the original datagram would notfit.8

ICMPv6: Internet Control Message ProtocolSelecting a Source IP AddressUnsolicited ICMP messages, as well as those not coveredpreviously, follow the fourth rule. The source address forsuch messages should be an IP address of the link on whichthe message is transmitted.Neighbor discovery also constrains the destinationaddress of its ICMP messages. That destination must be alink-local address. (If the destination is multicast, then themulticast address must be of link-local scope.) Therestriction confines neighbor discovery to the local link,protecting against an accidental (or deliberate) “leaking” ofneighbor discovery beyond its intended scope.9ICMPv6: Internet Control Message ProtocolNeighbor Discovery (ND)Neighbor discovery lets a system identify other hostsand routers on its links.Systems learn about hosts on their links so that they canforward datagrams addressed to those hosts. Hosts learnof at least one router so they can forward datagrams tosystems not on their links.Nodes use the protocol to actively keep track of whichneighbors are reachable and which are not, and to detectchanged link-layer addressesReplace ARP, ICMP Router discovery, and ICMP Redirectused in IPv410

IPv6 ND Processes• Router discovery– Discover the local hosts on an attached link– Equivalent to ICMPv4 Router discovery• Prefix discovery– Discovery the network prefix– Equivalent to ICMPv4 address mask request/reply• Parameter discovery– Discovery additional parameter (ex: link MTU,default hop limit for outgoing packet)• Address autoconfiguration– Configure IP address for interfaces• Address resolution– Equivalent to ARP in IPv411IPv6 ND Processes (cont.)• Next-hop determination– Destination address, or– Address of an on-link default router• Neighbor unreachable detection (NUD)• Duplicate address detection (DAD)– Determine that an address considered for use in notalready in use by a neighboring node• First-hop redirect function– Inform a host of a better first-hop IPv6 address toreach a destination– Equivalent to ICMPv4 redirect12

ND messages• 5 ND messages:– Router solicitation– Router advertisement– Neighbor solicitation– Neighbor advertisement– Redirect• All ND message are send with hop limit = 255– If it is not set to 255, the message is silentlydiscarded– Provide protection from ND-based network attackslaunched from off-link nodes– Router can not have forwarded the ND message froman off-link node13ICMPv6: Internet Control Message ProtocolNeighbor Discovery14

ICMPv6: Internet Control Message ProtocolNeighbor DiscoveryLink-local address15ICMPv6: Internet Control Message ProtocolAddress ResolutionNeighbordiscovery comesinto play withthe first IPdatagram sentacross thenetwork (do theARP function).Suppose that theworkstationmust send adatagram to thePC.multicasti.e. ARP function16

ICMPv6: Internet Control Message ProtocolAddress ResolutionIf the workstation fails to get a response to its solicitation, itmay repeat the request an many as nine additional times. Toavoid straining the network, though, successive requests mustbe at least one second apart.(Fig. 5.5 The Neighbor solicitation message,the Hops = 255, if received the message which Hops lessthan 255 è the message has processed by router. i.e. Themessage go out of local link range, discard itDA IP is multicast address which appends the last 32-bit ofthe PC IP address to the 96-bit prefix FF02::1:0:0.)17ICMPv618

R=1: sent by routerS=1: responding to asolicitationO=1: Override cacheentry and update thecached link-layeraddressICMPv6OTarget linkaddress optionReply to the neighbor solicitation19ICMPv6Router Discovery (Router sends router advertisementpacket to the hosts on the link20

Router Advertisement MessageUse DHCP forIP address(Managedaddressconfiguration)Link-local multicastConfiguration for otherinformation21Router’s22

Possible options for router advertisementsSource link-layer addressThe link-layer address of the interface fromwhich the Router Advertisement is sent. Only used on linklayers that have addresses.MTU SHOULD be sent on links that have a variableMTU (as specified in the document that describes how torun IP over the particular link type). MAY be sent onother links.Prefix InformationThese options specify the prefixes that are onlink(net-ID) and/or are used for address autoconfiguration.23ICMPv6Router advertisement formatMax hops (255): recommend a maximum hop limit for anydatagram a host transmits, 0 means unspecifiedreachability timeout: suggest a time limit to place on neighborinformation that a host learns, If a host fails to hear from aneighbor within this time period, it can suspect that theneighbor is no longer reachable (time in milliseconds)reachability retransmission interval: limit the frequency ofneighbor solicitations for a destination (time in milliseconds)router lifetime: determine how long hosts should consider thesource of this message available (time in seconds). If this timeinterval passes without another router advertisement, hostsview the router as unavailable24

ICMPv6Router advertisement formatAn option defines a prefix address for the link. Links mayhave multiple prefixes, and thus router advertisementsmay include several options of this type.Routers advertise prefixes for two different reasons. First,they indicate which IP addresses refer to systems on thelink. If a destination IP address does not match a link’sprefix, the system is not on the link. Reaching thisdestination requires the services of a router. Prefixextensions used to indicate this information have the L bitset. Prefixes may also play a role in addressautoconfiguration. These prefixes have the A bit set.25ICMPv6Router advertisement formatvalid lifetime: determine how long the prefix will remainvalid, in the absence of further advertisements.preferred lifetime: used only for address autoconfiguration,indicate the number of seconds before a prefix becomeobsolete. An obsolete prefix may still be used so long as itsvalid lifetime has not expired.(Use 0xFFFFFFFF for infinite lifetime.)26

ICMPv6Router solicitation message27ICMPv6RoutersolicitationmessageWhen a routerresponds to asolicitation, itdoes so bysending a routeradvertisementdirectly to thesystem makingthe request (useunicast, notmulticast .All routers address28

ICMPv6RedirectionRouters solicitations and advertisements let a host find arouter, but they do not guarantee that a host finds thebest router for a particular destination.?29ICMPv6RedirectionMake the wrong choiceThe left router can most easily detect the problem. Thissituation calls for an ICMP redirect message, which tells thehost of a more efficient path to a particular destination.30

ICMPv6Redirection31ICMPv6Redirection32

ICMPv6RedirectionCopy oforiginaldatagramincluded128033ICMPv6Neighbor discovery : address resolution, routerdiscovery, and redirectionDetection the loss of a neighborEven on healthy networks, neighbors do not remainpresent indefinitely. Hardware can fail, a system maychange its interface card, or a mobile system can move to anew link. When these changes occur, systems mustrecognize the new topology and react appropriately. Theprocess by which systems learn of these changes isneighbor unreachability detection (NUD).34

ICMPv6Detection the loss of a neighborAs long as the local system has traffic to send to aneighbor, ICMP periodically probes the neighbor bysending it neighbor solicitations. If the neighbor respondswith a neighbor advertisement, and the advertisement hasthe S bit set (reply to solicitation), the neighbor remainsreachable. If the bit is clear, then the advertisement isunsolicited, and there is no guarantee that the neighboractually heard the solicitation (the path may be one-way).35ICMPv6Detection the loss of a neighborThe other bit in neighbor advertisements, the R bit, alsohas a role in NUD. When a host hears a neighboradvertisement from a system it believes to be a router, itshould check this bit. If the bit is clear, then theneighbor is no longer acting as a router. The localsystem should refrain from using this neighbor to forwardtraffic to distant destinations.36

ICMPv6Address AutoconfigurationIPv6 provides two ways to ease the administration of IPaddresses. The standards name them stateless addressautoconfiguration and stateful address configuration.The stateful approach relies on the Dynamic HostConfiguration Protocol. Stateless configuration isICMP’s responsibility.37ICMPv6Address AutoconfigurationTo insure that all configured addresses are likely to beunique on a given link, nodes run a "duplicate addressdetection" algorithm on addresses before assigning them toan interface. The Duplicate Address Detection algorithm isperformed on all addresses, independent of whether they areobtained via stateless or stateful autoconfiguration.38

ICMPv6Address Autoconfiguration39ICMPv6Address AutoconfigurationFlags in Router AdvertisementsM If set, hosts should not use address autoconfiguration,instead, they should rely on DHCP to determinetheir IP addressOIf set, hosts can use address autoconfiguration, butshould use DHCP for other configuration information40

ICMPv6Group Membership (Multicast Listener Query messages,like IGMP for IPv4)In addition to administering unicast IP addresses, ICMPalso manages group addresses. It provides a way forsystems to announce (and later renounce) their membershipin groups. Routers listen to these messages to trackgroup membership on the link. They can then knowwhether to forward datagrams addresses to specific groups.All group membership messages have the same format,but each message has its own ICMP type.41ICMPv6GroupMembershipType:130: Query131: Report (join,reply to query)132: Termination(leave)42

ICMPv6Group MembershipIn most cases, the messages are sent to the group address inquestion. The destination IP address will then be the same asthe multicast IP address in the message body. It is alsopossible to query for membership in all groups. In suchcases, the destination address is the All nodes address(FF02::1, local-link multicast), and the IP multicast addressis set to zero.maximum response delay (milliseconds): the maximumamount of time that a system may delay beforeresponding to the query. To prevent every group memberfrom responding simultaneously, each should delay arandom amount of time ranging from zero to the MRD.43ICMPv6Error ReportingHops:3Hops:2Hops:144

ICMPv6Error ReportingICMP timeexceeded error45ICMPv6Error ReportingTo avoid choking a network with error messages, ICMP hasspecific rules that define when error messages arepermissible.46

ICMPv6Error Reporting:DestinationUnreachable128047ICMPv6Error Reporting: Destination UnreachableRouting table can’t find a routeEX: firewallLayer 2 unreachableLayer 4 unreachable48

ICMPv6Error Reporting: Packet Too Big8000 bytesPacket too bigUnlike IPv4, fragmentation in IPv6 is performed only bysource nodes, not by routers along a packet's delivery path.49ICMPv6ErrorReporting:Packet TooBigActual MTU ofthe link thatcaused theproblem128050

ICMPv6Error Reporting: Time ExceededSystem generate Time Exceeded messages for tworeasons:1. Exhaustion of a datagram’s hop limit2. A system fails to complete reassembly of datagramfragments in a reasonable amount of time. This time limitshould range between 60 and 120 seconds. To avoidgenerating a lot of error messages for the same datagram,systems should only generate this error if the fragmentsthey have received include the fragment at offset zero.Once a system returns this Time Exceeded error, it shoulddiscard the fragments that it has been retaining.51ICMPv6ErrorReporting:TimeExceeded0: hop limitexhausted1: reassemblytime expired128052

ICMPv6Parameter Problemsend by router ordestination host whenerrors of IPv6 header orextension header0: invalidheader field1: unrecognizednext headervalue2: unrecognizedoption128053ICMPv6NetworkDiagnostics54

ICMPv6NetworkDiagnostics55